I added snortdb-extra.gz into my Snort database AFTER I created my base_conf.php when I realized BASE wasn't showing any "Portscan traffic". I receive spp_portscan alerts in /var/log/snort/alerts but not in BASE. What do I need to do?
Are your alerts being logged to the database also? BASE will not read from files currently.
I have a variation of this same question. I am getting SPP_Portscans but they are showing up under TCP. With ACID, they were showing up under Portscans.
I previously applied the snortdb-extra.gz tables in Mysql. I am logging to the Mysql database too. I updated Snort 2.2.0 and am using Base 1.0.
If you are using the older portscan detector under snort, then newer versions of base will ignore the portscan alerts.
I have patched my version of base 1.0.1 using some bits of code from 0.9.7 to get spp_portscans working correctly again.
If anyone wants I could post a patch file to accomplish this, but the better answer would be to use the new portscan detector in snort.
We are looking at seeing if we can detect the version of snort running and display either one depending on the version.
That sounds great. Actually, I don't think it's necessary to go all the way to autodetection. With the number of users such as myself using spp_portscan shrinking all the time, a simple hand-edited boolean value in the config file would be more than sufficient.
As always BASE ROCKS ! :-)
That would work, we just try and stay away from conf values as for some reason they are harder to support.
Alright, thanks for all the info folks. I broke down and compiled snort 2.3.0RC2. The old, obsolete spp_portscan still does a few things that the others don't, but I'm running the sfportscan preprocessor now in addition, which seems to work pretty well, and its alerts do show up in the portscan section. To be particularly honest, I didn't have a clue where to begin looking in the database to see if Snort was actually logging the stuff. I'm glad to know that it wasn't my installation... I've noticed I don't get SPADE alerts through BASE either. Is this more of the same?
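The two checks raised above (is Snort logging to the database at all, and which class and protocol the portscan alerts are stored under) can be answered directly in MySQL. This is an added example, not from the thread or from the BASE project; it assumes the standard Snort database schema tables sensor, event, signature, sig_class and iphdr.

```sql
-- Added example (not from the thread): inspect the Snort MySQL database that
-- BASE reads from. Assumes the standard Snort schema (sensor, event,
-- signature, sig_class, iphdr); BASE only displays what is in these tables,
-- never what is in /var/log/snort/alerts.

-- 1. Is anything being logged at all? Event count and newest event per sensor.
--    A sensor with 0 events and a NULL last_event means the output plugin is
--    not writing to this database.
SELECT s.sid, s.hostname, COUNT(e.cid) AS events, MAX(e.timestamp) AS last_event
FROM sensor s
LEFT JOIN event e ON e.sid = s.sid
GROUP BY s.sid, s.hostname;

-- 2. Which portscan signatures are present, what classification they carry,
--    and which IP protocol they are stored under. BASE sorts alerts into its
--    TCP/UDP/ICMP/Portscan buckets from these fields, so an spp_portscan
--    alert stored with ip_proto = 6 is what shows up under "TCP" instead of
--    "Portscan traffic". The LEFT JOIN on iphdr keeps alerts that were
--    logged without any IP header row (ip_proto will be NULL for those).
SELECT sig.sig_name,
       COALESCE(sc.sig_class_name, '(none)') AS class,
       ip.ip_proto,
       COUNT(*) AS hits
FROM event e
JOIN signature sig ON sig.sig_id = e.signature
LEFT JOIN sig_class sc ON sc.sig_class_id = sig.sig_class_id
LEFT JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
WHERE sig.sig_name LIKE '%portscan%'
GROUP BY sig.sig_name, sc.sig_class_name, ip.ip_proto
ORDER BY hits DESC;
```

If the first query shows events but the second returns no rows, the portscan preprocessor is alerting to the file only and the database output plugin never sees it; if rows appear with ip_proto = 6, that is the "showing up under TCP" symptom described in the thread.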
We agree that the old way needs to be supported. We are working on a patch for the next version which will support both.
I personally don't run SPADE so I can't answer that part of the question. Sorry.
Oh yeah, BTW, I do intend on still using the spp_portscan preprocessor...so I would love a patch to fix this. I don't mind doing it by hand if it isn't too much editing. Thanks ever-so-much.